
Summary
This rule detects execution of the 'gdrive' tool on Windows systems, a command-line client for interacting with Google Drive. An intruder may use this tool to exfiltrate sensitive data or to stage additional tooling. The detection uses Endpoint Detection and Response (EDR) data, focusing on process names associated with Google Drive and on specific command-line execution patterns. The search collects events in which 'gdrive.exe' or a similarly named process was executed and then filters on the command-line actions that accompany it, such as download and upload. Implementation requires ingesting logs from EDR agents that record process executions, mapped to the Splunk Common Information Model (CIM) so the fields are handled consistently.
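As an added illustration (not the rule's own search), the following Python mirrors the detection logic over constructed events shaped like CIM Endpoint.Processes fields; the hostnames, users, file paths and the process-name pattern are assumptions for the example.

```python
import re

# Constructed sample events in the shape of CIM Endpoint.Processes fields (hypothetical data).
SAMPLE_EVENTS = [
    {"dest": "WS-0142", "user": "CORP\\jdoe", "process_name": "gdrive.exe",
     "process": 'gdrive.exe upload --parent 1AbCdEf "C:\\Users\\jdoe\\Documents\\q3-financials.xlsx"'},
    {"dest": "WS-0142", "user": "CORP\\jdoe", "process_name": "gdrive.exe",
     "process": "gdrive.exe about"},
    {"dest": "SRV-BUILD01", "user": "CORP\\svc_build", "process_name": "gdrive_windows_amd64.exe",
     "process": "gdrive_windows_amd64.exe download 1XyZ --path C:\\Temp"},
    {"dest": "WS-0077", "user": "CORP\\asmith", "process_name": "chrome.exe",
     "process": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://drive.google.com/upload'},
]

# Assumed pattern for 'gdrive.exe' and similarly named binaries (e.g. renamed release builds).
PROCESS_NAME_RE = re.compile(r"^gdrive[\w.-]*\.exe$", re.IGNORECASE)
# Command-line actions the rule filters on: download and upload.
ACTION_RE = re.compile(r"\b(download|upload)\b", re.IGNORECASE)


def matches_gdrive_rule(event):
    """Return the matched action ('download' or 'upload'), or None if the event does not match."""
    if not PROCESS_NAME_RE.match(event.get("process_name", "")):
        return None
    m = ACTION_RE.search(event.get("process", ""))
    return m.group(1).lower() if m else None


def detect(events):
    """Emit one finding per matching event, keeping the fields an analyst would pivot on."""
    findings = []
    for ev in events:
        action = matches_gdrive_rule(ev)
        if action:
            findings.append({"dest": ev["dest"], "user": ev["user"],
                             "action": action, "process": ev["process"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['dest']} {f['user']} gdrive {f['action']}: {f['process']}")
```

The browser event is excluded by the process-name check even though its URL contains "upload", and the bare `gdrive.exe about` invocation is excluded because it carries no download or upload action.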
Categories
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1567
Created: 2025-08-01